Re: [PATCH] netfilter: Only call ftp alg when needed

2018-11-20 Thread Jason Rippon
Is there anything more you need from me? I have tested this with old kernel releases, as well as net-next, and the FTP ALG does not seem to respect the masquerade --to-ports option. e.g. echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper iptables -t nat -I POSTROUTING -o enp0 -j MASQUERADE -p

Re: [PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-20 Thread Florian Westphal
Baruch Siach wrote: > Pablo Neira Ayuso writes: > >> > This is updating a cached copy of the kernel headers, we basically > >> > copy kernel headers and place in the userspace tree to make sure that > >> > iptables compiles standalone, without the need for kernel-headers to > >> > be installed in

Re: [PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-20 Thread Baruch Siach
Hi Pablo, Pablo Neira Ayuso writes: > On Sat, Nov 17, 2018 at 10:28:56PM +0200, Baruch Siach wrote: >> Pablo Neira Ayuso writes: >> > On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote: >> >> Commit 672accf1530 (include: update kernel netfilter header files) >> >> updated

RFC: Designing per chain rule cache support in libnftnl

2018-11-20 Thread Phil Sutter
Hi, In order to improve performance in 'nft -f' as well as xtables-restore with very large rulesets, we need to store rules by chain they belong to. In order to avoid pointless code duplication, this should be supported by libnftnl. Looking into the topic, it seems like extending struct

Re: [PATCH nf-next] netfilter: add missing error handling code for register functions.

2018-11-19 Thread Taehee Yoo
On Tue, 20 Nov 2018 at 06:19, Florian Westphal wrote: > Hi Florian! Thank you for the review! > Taehee Yoo wrote: > > register_{netdevice/inetaddr/inet6addr}_notifier returns a value that > > could be an error value, so error handling code is needed. > > Nothing should break without those

Re: [PATCH nf-next] netfilter: add missing error handling code for register functions.

2018-11-19 Thread Florian Westphal
Taehee Yoo wrote: > register_{netdevice/inetaddr/inet6addr}_notifier returns a value that > could be an error value, so error handling code is needed. Nothing should break without those notifiers in place though. > /* check if the notifier was already set */ > if

Re: [PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-19 Thread Pablo Neira Ayuso
On Sat, Nov 17, 2018 at 10:28:56PM +0200, Baruch Siach wrote: > Hi Pablo, > > Pablo Neira Ayuso writes: > > On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote: > >> Commit 672accf1530 (include: update kernel netfilter header files) > >> updated linux/netfilter.h and brought with it the

[PATCH nf-next] netfilter: add missing error handling code for register functions.

2018-11-19 Thread Taehee Yoo
register_{netdevice/inetaddr/inet6addr}_notifier returns a value that could be an error value, so error handling code is needed. Signed-off-by: Taehee Yoo --- .../net/netfilter/ipv4/nf_nat_masquerade.h| 2 +- .../net/netfilter/ipv6/nf_nat_masquerade.h| 2 +-

Re: [PATCH nft 2/2] src: introduce simple hints on incorrect chain

2018-11-19 Thread Pablo Neira Ayuso
On Mon, Nov 19, 2018 at 12:55:48PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > # nft list chain x y > > Error: No such file or directory; did you mean table ‘x’ in family ‘inet’? > > list chain x y > > Perhaps make this > "...; did you mean 'inet x'?" Yes. I just pushed out

[PATCH nft,v4 2/3] src: introduce simple hints on incorrect chain

2018-11-19 Thread Pablo Neira Ayuso
# nft list chain x y Error: No such file or directory; did you mean chain ‘y’ in table inet ‘x’? list chain x y ^ Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 3 +++ src/evaluate.c | 31 ++- src/rule.c | 18 ++ 3 files

[PATCH nft,v4 3/3] src: introduce simple hints on incorrect set

2018-11-19 Thread Pablo Neira Ayuso
# nft rule x y ip saddr @y Error: No such file or directory; did you mean set ‘y’ in table inet ‘x’? rule x y ip saddr @y ^^ Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 3 +++ src/evaluate.c | 68 +++---

[PATCH nft,v3 3/3] src: introduce simple hints on incorrect set

2018-11-19 Thread Pablo Neira Ayuso
# nft rule x y ip saddr @y Error: No such file or directory; did you mean set ‘y’ in table inet ‘x’? rule x y ip saddr @y ^^ Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 3 +++ src/evaluate.c | 68 +++---

Re: [PATCH nft 2/2] src: introduce simple hints on incorrect chain

2018-11-19 Thread Florian Westphal
Pablo Neira Ayuso wrote: > # nft list chain x y > Error: No such file or directory; did you mean table ‘x’ in family ‘inet’? > list chain x y Perhaps make this "...; did you mean 'inet x'?" Other than this nit, this looks like a good improvement, thanks!

[PATCH nft 2/2] src: introduce simple hints on incorrect chain

2018-11-19 Thread Pablo Neira Ayuso
# nft list chain x y Error: No such file or directory; did you mean chain ‘y’ in family ‘inet’? list chain x y ^ Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 2 ++ src/evaluate.c | 29 - src/rule.c | 15 +++ 3 files changed,

[PATCH nft 1/2] src: introduce simple hints on incorrect table

2018-11-19 Thread Pablo Neira Ayuso
This patch adds simple infrastructure to provide hints to the user on references to an incorrect table. While at it, remove "Could not process rule:", which I think is implicit in the error. Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 2 ++ src/evaluate.c | 111

[PATCH nft 1/2] src: introduce simple hints on incorrect table

2018-11-19 Thread Pablo Neira Ayuso
This patch adds simple infrastructure to provide hints to the user on references to an incorrect table. While at it, remove "Could not process rule:", which I think is implicit in the error. Signed-off-by: Pablo Neira Ayuso --- This is aiming to address:

[PATCH nft 2/2] src: introduce simple hints on incorrect chain

2018-11-19 Thread Pablo Neira Ayuso
# nft list chain x y Error: No such file or directory; did you mean table ‘x’ in family ‘inet’? list chain x y ^ Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 2 ++ src/evaluate.c | 29 - src/rule.c | 15 +++ 3 files changed,

Re: [PATCHv2 net] ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf

2018-11-19 Thread Simon Horman
On Sat, Nov 17, 2018 at 07:14:57PM +0100, Pablo Neira Ayuso wrote: > On Sat, Nov 17, 2018 at 09:19:52PM +0900, Xin Long wrote: > > On Sat, Nov 17, 2018 at 8:15 PM Pablo Neira Ayuso > > wrote: > > > > > > On Fri, Nov 16, 2018 at 06:37:19AM -0800, Simon Horman wrote: > > > > On Fri, Nov 16, 2018

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-18 Thread Taehee Yoo
On Mon, 19 Nov 2018 at 02:15, Randy Dunlap wrote: > > On 11/18/18 6:39 AM, Taehee Yoo wrote: > > xt_TEE.c needs nf_dup_ipv6.c to support ipv6 packet duplication. > > So if xt_TEE is enabled, nf_dup_ipv6 will be automatically selected. > > But there is a build failure scenario. > > > > test

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-18 Thread Randy Dunlap
On 11/18/18 6:39 AM, Taehee Yoo wrote: > xt_TEE.c needs nf_dup_ipv6.c to support ipv6 packet duplication. > So if xt_TEE is enabled, nf_dup_ipv6 will be automatically selected. > But there is a build failure scenario. > > test config: > CONFIG_NETFILTER_XT_TARGET_TEE=y > CONFIG_NF_DUP_IPV6=m >

[PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-18 Thread Taehee Yoo
xt_TEE.c needs nf_dup_ipv6.c to support ipv6 packet duplication. So if xt_TEE is enabled, nf_dup_ipv6 will be automatically selected. But there is a build failure scenario. test config: CONFIG_NETFILTER_XT_TARGET_TEE=y CONFIG_NF_DUP_IPV6=m compile result: net/netfilter/xt_TEE.o: In function

[PATCH xtables] arptables-nft: use generic expression parsing function

2018-11-18 Thread Florian Westphal
Since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708 ("xtables: merge {ip,arp}tables_command_state structs") arptables uses the shared representation. With only minor changes (e.g., use generic counters in command_state), in print/save functions we can use the shared nftnl expression parser too.

Re: [PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-17 Thread Baruch Siach
Hi Pablo, Pablo Neira Ayuso writes: > On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote: >> Commit 672accf1530 (include: update kernel netfilter header files) >> updated linux/netfilter.h and brought with it the update from kernel >> commit a263653ed798 (netfilter: don't pull

Re: [PATCH iptables] xtables-monitor: fix build with musl libc

2018-11-17 Thread Florian Westphal
Baruch Siach wrote: > Commit 7c8791edac3 ("xtables-monitor: fix build with older glibc") > changed the code to use GNU style tcphdr fields. Unfortunately, musl > libc requires _GNU_SOURCE definition to expose these fields. > > Fix the following build failure: Applied, thanks.

[PATCH iptables] xtables-monitor: fix build with musl libc

2018-11-17 Thread Baruch Siach
Commit 7c8791edac3 ("xtables-monitor: fix build with older glibc") changed the code to use GNU style tcphdr fields. Unfortunately, musl libc requires _GNU_SOURCE definition to expose these fields. Fix the following build failure: xtables-monitor.c: In function ‘trace_print_packet’:

Re: [PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-17 Thread Pablo Neira Ayuso
Hi Baruch, On Fri, Nov 16, 2018 at 09:30:33AM +0200, Baruch Siach wrote: > Commit 672accf1530 (include: update kernel netfilter header files) > updated linux/netfilter.h and brought with it the update from kernel > commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h > from netns

Re: [iptables PATCH v2] xtables: Introduce per table chain caches

2018-11-17 Thread Pablo Neira Ayuso
On Thu, Nov 15, 2018 at 02:53:02PM +0100, Phil Sutter wrote: > Being able to omit the previously obligatory table name check when > iterating over the chain cache might help restore performance with large > rulesets in xtables-save and -restore. > > There is one subtle quirk in the code:

[PATCH iptables 4/4] xtables: constify struct builtin_table and struct builtin_chain

2018-11-17 Thread Pablo Neira Ayuso
These definitions should be const, propagate this to all existing users. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 42 +- iptables/nft.h | 14 +++--- iptables/xtables-restore.c | 4 ++--

[PATCH iptables 1/4] nft: add type field to builtin_table

2018-11-17 Thread Pablo Neira Ayuso
Use enum nft_table_type to set the new type field in the structure that defines tables. --- iptables/nft.c | 8 iptables/nft.h | 1 + 2 files changed, 9 insertions(+) diff --git a/iptables/nft.c b/iptables/nft.c index 5e55ec13d0da..db86f97c6d29 100644 --- a/iptables/nft.c +++

[PATCH iptables 2/4] nft: move chain_cache back to struct nft_handle

2018-11-17 Thread Pablo Neira Ayuso
Place this back into the structure that stores the state information. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 26 +- iptables/nft.h | 4 +++- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index

[PATCH iptables 3/4] nft: move initialize to struct nft_handle

2018-11-17 Thread Pablo Neira Ayuso
Move this to the structure that stores stateful information. Introduce nft_table_initialized() and use it. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 14 ++ iptables/nft.h | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/iptables/nft.c

Re: [PATCH nf] netfilter: xt_hashlimit: fix a possible memory leak in htable_create()

2018-11-17 Thread Pablo Neira Ayuso
On Fri, Nov 16, 2018 at 09:32:35PM +0900, Taehee Yoo wrote: > In htable_create(), hinfo is allocated by vmalloc(), > so if an error occurs, hinfo should be freed. Applied, thanks Taehee.

[PATCH nf] netfilter: xt_hashlimit: fix a possible memory leak in htable_create()

2018-11-16 Thread Taehee Yoo
In htable_create(), hinfo is allocated by vmalloc(), so if an error occurs, hinfo should be freed. Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates") Signed-off-by: Taehee Yoo --- net/netfilter/xt_hashlimit.c | 9 +++-- 1 file changed, 3

[PATCH iptables] include: fix build with kernel headers before 4.2

2018-11-15 Thread Baruch Siach
Commit 672accf1530 (include: update kernel netfilter header files) updated linux/netfilter.h and brought with it the update from kernel commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h from netns headers). This triggers a conflict of headers that is fixed in kernel commit

[ANNOUNCE] nftlb 0.3 release

2018-11-15 Thread Laura Garcia
Hi! I'm honored to present nftlb 0.3 nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is a nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

Re: Different namespaces share the same xtables lock

2018-11-15 Thread Phil Sutter
Hi Wenxian, On Thu, Nov 15, 2018 at 11:16:49PM +0800, wenxian li wrote: > I was running iptables on different namespaces and met such error > "Another app is currently holding the xtables lock. Perhaps you want > to use the -w option?". > > After googling it, I found this enhancement introduces

Different namespaces share the same xtables lock

2018-11-15 Thread wenxian li
Hi Guys, I was running iptables on different namespaces and met such error "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?". After googling it, I found this enhancement introduces the lock mechanism: "xtables: Add locking to prevent concurrent

[iptables PATCH v2] xtables: Introduce per table chain caches

2018-11-15 Thread Phil Sutter
Being able to omit the previously obligatory table name check when iterating over the chain cache might help restore performance with large rulesets in xtables-save and -restore. There is one subtle quirk in the code: flush_chain_cache() did free the global chain cache if not called with a table

Re: iptc_delete_entry matchmask parameter

2018-11-15 Thread Florian Westphal
Tom Cook wrote: > For a `struct ipt_entry` that I have retrieved using iptc_next_rule [..] Please don't do this, use ip(6)tables-restore instead. You can pipe input to it and you can use --noflush option for batch processing, including multiple deletes/adds/inserts etc. libiptc doesn't do some

Re: iptc_delete_entry matchmask parameter

2018-11-15 Thread Tom Cook
Or, as an alternative way of saying the same thing, can someone please explain why this doesn't delete all rules from my INPUT chain: extern "C" { #include #include #include } #include #include using namespace std; int main() { auto h = iptc_init("filter"); if (h == 0) { std::cout

[iptables PATCH] xtables: Introduce per table chain caches

2018-11-15 Thread Phil Sutter
Being able to omit the previously obligatory table name check when iterating over the chain cache might help restore performance with large rulesets in xtables-save and -restore. There is one subtle quirk in the code: flush_chain_cache() did free the global chain cache if not called with a table

Re: [PATCH xtables] xtables-monitor: fix build with older glibc

2018-11-15 Thread Baruch Siach
Hi Florian, Florian Westphal writes: > Baruch Siach wrote: >> glibc older than 2.19 require _BSD_SOURCE to expose BSD style fields of >> struct tcphdr. Fix the following build failure: >> >> xtables-monitor.c: In function 'trace_print_packet': >> xtables-monitor.c:406:43: error: 'const struct

Re: [PATCH xtables] xtables-monitor: fix build with older glibc

2018-11-15 Thread Florian Westphal
Baruch Siach wrote: > glibc older than 2.19 require _BSD_SOURCE to expose BSD style fields of > struct tcphdr. Fix the following build failure: > > xtables-monitor.c: In function 'trace_print_packet': > xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named > 'th_sport' >

[PATCH xtables] xtables-monitor: fix build with older glibc

2018-11-14 Thread Baruch Siach
glibc older than 2.19 require _BSD_SOURCE to expose BSD style fields of struct tcphdr. Fix the following build failure: xtables-monitor.c: In function 'trace_print_packet': xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named 'th_sport' printf("SPORT=%d DPORT=%d ",

iptc_delete_entry matchmask parameter

2018-11-14 Thread Tom Cook
For a `struct ipt_entry` that I have retrieved using iptc_next_rule and which I want to delete from its table, how should I construct the matchmask parameter to iptc_delete_entry? As far as I can tell from reading make_delete_mask, the mask should be the same size as the ipt_entry (including all

[no subject]

2018-11-14 Thread diweiguang88
I hope to know the kernel's changes, so I want to read these important mails.

[no subject]

2018-11-14 Thread diweiguang88
I hope to know the changes of the netfilter module.

Re: [PATCH iptables] extensions: format-security fixes in libip[6]t_icmp

2018-11-14 Thread Pablo Neira Ayuso
On Wed, Nov 14, 2018 at 07:35:28AM +0100, Adam Gołębiowski wrote: > commit 61d6c3834de32c0ff5808c93da94b2b30b4791c8 introduced support > for gcc feature to check format string against passed argument. > This commit adds missing bits to extensions' libipt_icmp.c and > libip6t_icmp6.c that were

[PATCH iptables] extensions: format-security fixes in libip[6]t_icmp

2018-11-13 Thread Adam Gołębiowski
commit 61d6c3834de32c0ff5808c93da94b2b30b4791c8 introduced support for gcc feature to check format string against passed argument. This commit adds missing bits to extensions' libipt_icmp.c and libip6t_icmp6.c that were causing the build to fail. Signed-off-by: Adam Gołębiowski ---

Re: [PATCH xtables] ebtables: vlan: fix userspace/kernel headers collision

2018-11-13 Thread Pablo Neira Ayuso
On Tue, Nov 13, 2018 at 07:22:08PM +0200, Baruch Siach wrote: > Build with musl libc fails because of conflicting struct ethhdr > definitions: > > In file included from .../sysroot/usr/include/net/ethernet.h:10:0, > from ../iptables/nft-bridge.h:8, > from

[PATCH xtables] ebtables: vlan: fix userspace/kernel headers collision

2018-11-13 Thread Baruch Siach
Build with musl libc fails because of conflicting struct ethhdr definitions: In file included from .../sysroot/usr/include/net/ethernet.h:10:0, from ../iptables/nft-bridge.h:8, from libebt_vlan.c:18: .../sysroot/usr/include/netinet/if_ether.h:107:8: error:

[ANNOUNCE] libnftnl 1.1.2 release

2018-11-13 Thread Pablo Neira Ayuso
Hi! The Netfilter project proudly presents: libnftnl 1.1.2 libnftnl is a userspace library providing a low-level netlink programming interface (API) to the in-kernel nf_tables subsystem. This library is currently used by the nft command line tool. This release adds support for new kernel

Re: [PATCH] doc: grammar fixes

2018-11-13 Thread Pablo Neira Ayuso
Applied including Stefano's minor nitpick. Thanks.

Re: [PATCH] doc: grammar fixes

2018-11-13 Thread Jan Engelhardt
On Tuesday 2018-11-13 12:18, Pablo Neira Ayuso wrote: >Looks good, may I include your Signed-off-by tag? Oh yeah, this is "kernel land" where it's needed ;-) Please also consider folding in Stefano's comment about one "an". Signed-off-by: Jan Engelhardt >On Tue, Nov 13, 2018 at 11:53:30AM

Re: [PATCH] doc: grammar fixes

2018-11-13 Thread Stefano Brivio
While at it, On Tue, 13 Nov 2018 11:53:30 +0100 Jan Engelhardt wrote: > @@ -689,10 +690,10 @@ in. The second form specifies a reference to a named > counter object. > "value":* 'EXPRESSION' > *}}* > > -Change packet data or meta info. > +This changes the packet data or meta info. >

Re: [PATCH] doc: grammar fixes

2018-11-13 Thread Pablo Neira Ayuso
Looks good, may I include your Signed-off-by tag? On Tue, Nov 13, 2018 at 11:53:30AM +0100, Jan Engelhardt wrote: > --- > Additional fixes on top of V. Skyttä's patch: lots of "a", "the", etc. > missing, wrong prepositions addressed. Contractions are expanded for > better writing style. > >

Re: [PATCH libnftnl 4/4] src: Use memcpy() to handle potentially unaligned data

2018-11-13 Thread Pablo Neira Ayuso
On Sun, Nov 11, 2018 at 11:52:58PM -0800, Matt Turner wrote: > On Thu, Nov 1, 2018 at 4:29 PM Pablo Neira Ayuso wrote: > > > > On Wed, Oct 31, 2018 at 07:18:04PM -0700, Matt Turner wrote: > > > On Fri, Oct 19, 2018 at 11:09 AM Matt Turner wrote: > > > > If you wouldn't mind, now might be a good

[ANNOUNCE] iptables 1.8.2 release

2018-11-13 Thread Florian Westphal
Hi! The Netfilter project proudly presents: iptables 1.8.2 This release contains the following fixes and enhancements: iptables-nft: - fix bogus handling of '-s 0.0.0.0/8' and the like. - fix the '-f' option - fix wildcard interface matching ebtables-nft: - add support for 'arpreply'

[PATCH] doc: grammar fixes

2018-11-13 Thread Jan Engelhardt
--- Additional fixes on top of V. Skyttä's patch: lots of "a", "the", etc. missing, wrong prepositions addressed. Contractions are expanded for better writing style. doc/data-types.txt | 6 +- doc/libnftables-json.adoc | 145 +++-- doc/libnftables.adoc

Re: [PATCH nftables] doc: Spelling and grammar fixes

2018-11-13 Thread Pablo Neira Ayuso
Applied, thanks Ville.

[PATCH nftables] doc: Spelling and grammar fixes

2018-11-13 Thread Ville Skyttä
Signed-off-by: Ville Skyttä --- doc/data-types.txt | 2 +- doc/libnftables-json.adoc | 4 ++-- doc/libnftables.adoc| 2 +- doc/nft.txt | 6 +++--- doc/primary-expression.txt | 2 +- tests/json_echo/run-test.py | 2 +- 6 files changed, 9 insertions(+), 9

Re: [PATCH nf] netfilter: xt_RATEEST: remove netns exit routine

2018-11-13 Thread Pablo Neira Ayuso
On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote: > xt_rateest_net_exit() was added to check whether rules are flushed > successfully. But the ->net_exit() callback is called earlier than > the ->destroy() callback, > so the ->net_exit() callback can't check that. > > test commands: >%ip

[PATCH nf] netfilter: nf_tables: fix use-after-free when deleting compat expressions

2018-11-12 Thread Florian Westphal
nft_compat ops do not have static storage duration, unlike all other expressions. When nf_tables_expr_destroy() returns, expr->ops might have been free'd already, so we need to store the next address before calling the expression destructor. For the same reason, we can't deref the match pointer after
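A user-space model of the ordering bug described in this patch, added here as an example (it is not the nf_tables code, and the struct and function names are this example's own). A rule is a packed sequence of expressions, each starting with an ops pointer followed by ops->size bytes of data. For ordinary expressions ops points at a static table; for "compat" expressions it points at heap memory that the destroy callback frees, so reading expr->ops->size to find the next expression after destroy is a use-after-free. The compat destructor here poisons the pointer so the buggy walker can report the dangling read instead of crashing; the kernel has no such guard.

```c
/* Added example, not the nf_tables code: the walker that tears down a rule
 * must compute the next expression's address before calling the destructor,
 * because a compat expression's ops struct is freed by destroy(). */
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

struct expr;
struct expr_ops {
    size_t size;                        /* bytes of data after the header */
    void (*destroy)(struct expr *e);
};
struct expr {
    const struct expr_ops *ops;
    unsigned char data[];
};

int destroyed;   /* destroy callbacks run so far (inspected by the tests) */

static void static_destroy(struct expr *e) { (void)e; destroyed++; }

static void compat_destroy(struct expr *e)
{
    destroyed++;
    free((void *)e->ops);   /* compat ops have dynamic storage duration */
    e->ops = NULL;          /* poison: lets the buggy walker detect the dangling
                               read; real freed memory gives no such signal */
}

static const struct expr_ops static_ops = { 16, static_destroy };

/* Allocate a compat ops struct, as nft_compat does per match/target. */
const struct expr_ops *make_compat_ops(size_t size)
{
    struct expr_ops *ops = malloc(sizeof *ops);
    if (!ops)
        abort();
    ops->size = size;
    ops->destroy = compat_destroy;
    return ops;
}

/* Append an expression header to the rule buffer; returns the new offset. */
size_t add_expr(unsigned char *rule, size_t off, const struct expr_ops *ops)
{
    struct expr *e = (struct expr *)(rule + off);
    e->ops = ops;
    memset(e->data, 0, ops->size);
    return off + sizeof *e + ops->size;
}

/* Buggy order: destroy first, then read ops->size to advance. Returns -1 at
 * the point where the real code would dereference freed memory. */
int destroy_rule_buggy(unsigned char *rule, size_t len)
{
    size_t off = 0;
    while (off < len) {
        struct expr *e = (struct expr *)(rule + off);
        e->ops->destroy(e);
        if (!e->ops)
            return -1;                  /* use-after-free in the real code */
        off += sizeof *e + e->ops->size;
    }
    return 0;
}

/* Fixed order: compute the next offset before the destructor may free ops. */
int destroy_rule_fixed(unsigned char *rule, size_t len)
{
    size_t off = 0;
    while (off < len) {
        struct expr *e = (struct expr *)(rule + off);
        size_t next = off + sizeof *e + e->ops->size;
        e->ops->destroy(e);
        off = next;
    }
    return 0;
}

/* Build a three-expression rule (static, compat, static) and tear it down
 * with either walker. Returns the walker's result; 'destroyed' counts calls. */
int run_sample(int fixed)
{
    unsigned char *rule = malloc(256);  /* malloc gives suitable alignment */
    if (!rule)
        abort();
    size_t len = 0;
    len = add_expr(rule, len, &static_ops);
    len = add_expr(rule, len, make_compat_ops(8));
    len = add_expr(rule, len, &static_ops);

    destroyed = 0;
    int rc = fixed ? destroy_rule_fixed(rule, len)
                   : destroy_rule_buggy(rule, len);
    free(rule);
    return rc;
}

int main(void)
{
    int rc_fixed = run_sample(1);
    int n_fixed = destroyed;
    int rc_buggy = run_sample(0);
    return (rc_fixed == 0 && n_fixed == 3 && rc_buggy == -1) ? 0 : 1;
}
```

With the fixed walker all three destructors run; the buggy walker stops at the compat expression because the only place it could have learned the next offset from has just been freed.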

Re: [ebtables PATCH] extensions: among: Fix bitmask check

2018-11-12 Thread Florian Westphal
Phil Sutter wrote: > Boolean AND was applied instead of binary one, causing the exclamation > mark to be printed whenever info->bitmask was non-zero. In practice, > this leads to incorrect output if e.g. --among-src was given with an > inverted match as well as --among-dst with a non-inverted

[PATCH xtables] libxtables: xlate: init buffer to zero

2018-11-12 Thread Florian Westphal
Doesn't affect iptables-translate, but nft (when built with xtables support). Current nftables may print the buffer without checking if the ->xlate() callback returned 0, so ->data with garbage/random content can be printed. Signed-off-by: Florian Westphal --- libxtables/xtables.c | 1 + 1

[ebtables PATCH] extensions: among: Fix bitmask check

2018-11-12 Thread Phil Sutter
Boolean AND was applied instead of binary one, causing the exclamation mark to be printed whenever info->bitmask was non-zero. In practice, this leads to incorrect output if e.g. --among-src was given with an inverted match as well as --among-dst with a non-inverted one. Output would then list
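The effect of the logical-vs-bitwise mix-up, as an added example (not the ebtables among code; the flag values and option names below are this example's own assumptions). The buggy variant tests the negation flag with `&&`, which is true whenever bitmask is non-zero at all, so "!" is printed for every option present; the fixed variant uses `&` and prints "!" only for the option that was actually inverted.

```c
/* Added example, not the ebtables source: render --among-src/--among-dst the
 * way a save routine would, with the buggy (&&) and fixed (&) negation test. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed flag layout for this example only */
#define AMONG_DST     0x01   /* --among-dst given */
#define AMONG_SRC     0x02   /* --among-src given */
#define AMONG_DST_NEG 0x04   /* --among-dst inverted */
#define AMONG_SRC_NEG 0x08   /* --among-src inverted */

/* Append a token, space-separated, without overrunning the buffer. */
static size_t append(char *out, size_t outlen, size_t n, const char *s)
{
    if (n >= outlen)
        return n;
    int w = snprintf(out + n, outlen - n, "%s%s", n ? " " : "", s);
    return w < 0 ? n : n + (size_t)w;
}

/* Render the options into out; returns how many "!" markers were emitted. */
int render_among(unsigned bitmask, int fixed, char *out, size_t outlen)
{
    size_t n = 0;
    int bangs = 0;
    out[0] = '\0';

    if (bitmask & AMONG_SRC) {
        int neg = fixed ? (bitmask & AMONG_SRC_NEG) != 0
                        : (bitmask && AMONG_SRC_NEG);   /* the bug: always true here */
        if (neg) { n = append(out, outlen, n, "!"); bangs++; }
        n = append(out, outlen, n, "--among-src LIST");
    }
    if (bitmask & AMONG_DST) {
        int neg = fixed ? (bitmask & AMONG_DST_NEG) != 0
                        : (bitmask && AMONG_DST_NEG);   /* the bug: always true here */
        if (neg) { n = append(out, outlen, n, "!"); bangs++; }
        n = append(out, outlen, n, "--among-dst LIST");
    }
    return bangs;
}

int main(void)
{
    char buf[128];
    unsigned bm = AMONG_SRC | AMONG_SRC_NEG | AMONG_DST;  /* src inverted, dst not */

    render_among(bm, 0, buf, sizeof buf);
    printf("buggy: %s\n", buf);
    render_among(bm, 1, buf, sizeof buf);
    printf("fixed: %s\n", buf);
    return 0;
}
```

For an inverted --among-src combined with a plain --among-dst the buggy renderer emits "! --among-src LIST ! --among-dst LIST", which would change the rule's meaning when fed back through a restore.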

Re: [PATCH nf-next 0/2] netfilter: nf_flow_table: remove duplicate code in nf_flow_table_core.c

2018-11-12 Thread Pablo Neira Ayuso
On Wed, Nov 07, 2018 at 12:32:34AM +0900, Taehee Yoo wrote: > In this patch series, duplicate code in nf_flow_table_core.c is removed. > > First patch makes nf_flow_table_iterate() static because > it is a local function. > > Second patch makes nf_flow_offload_gc_step() simpler. > Both

Re: [nft PATCH] nft.8: Clarify 'index' option of add rule command

2018-11-12 Thread Pablo Neira Ayuso
On Mon, Nov 12, 2018 at 03:02:52PM +0100, Phil Sutter wrote: > Documentation for add rule command might trick readers into believing > the optional 'index' argument does not need to be that of an existing > rule. This false assumption is fueled by the fact that iptables allows > inserting with

[PATCH nf-next] netfilter: remove NFC_* cache bits

2018-11-12 Thread Pablo Neira Ayuso
These are very old (long unused) caching infrastructure definitions, remove them. They have nothing to do with the NFC subsystem. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter.h| 4 include/uapi/linux/netfilter_decnet.h | 10 --

Re: [PATCH nf] netfilter: nf_tables: don't use position attribute on rule replacement

2018-11-12 Thread Pablo Neira Ayuso
On Sun, Nov 04, 2018 at 12:07:14PM +0100, Florian Westphal wrote: > It's possible to set both HANDLE and POSITION when replacing a rule. > In this case, the rule at POSITION gets replaced using the > userspace-provided handle. Rule handles are supposed to be generated > by the kernel only. > >

Re: [PATCH nf 0/2] netfilter: nf_tables: don't skip inactive chains during update

2018-11-12 Thread Pablo Neira Ayuso
On Wed, Oct 31, 2018 at 06:26:19PM +0100, Florian Westphal wrote: > This fixes a packet path vs. control plane race caused by > a bogus optimization: When chain is going away we must not > elide updating rules[next_generation]. If we do, then access > to the 'next generation' really access an old

Re: [PATCH nf v2 0/3] netfilter: nf_conncount: fix bugs in conn_free

2018-11-12 Thread Pablo Neira Ayuso
On Mon, Nov 05, 2018 at 03:42:45AM +0900, Taehee Yoo wrote: > Three bugs in nf_conncount are fixed by this patch series. > > First patch fixes inconsistent lock state in conn_free(). > conn_free() is called in both BH and process context, so > spin_lock_bh() should be used. > > Second patch

Re: [PATCH nf 0/2] netfilter: nf_conncount: fix bugs in conn_free

2018-11-12 Thread Pablo Neira Ayuso
On Thu, Oct 25, 2018 at 11:55:48PM +0900, Taehee Yoo wrote: > Two bugs in nf_conncount are fixed by this patch series. > > First patch fixes inconsistent lock state in conn_free(). > conn_free() is called in both BH and process context, so > spin_lock_bh() should be used. > > Second patch

[PATCH xtables 13/13] arptables: fix --version info

2018-11-12 Thread Florian Westphal
old: arptables vlibxtables.so.12 (nf_tables) now: arptables 1.8.1 (nf_tables) Signed-off-by: Florian Westphal --- iptables/xtables-arp.c | 25 +++-- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index

[PATCH xtables 12/13] arptables: ignore --table argument.

2018-11-12 Thread Florian Westphal
You can run 'arptables-legacy -t foobar' and commands work fine, as it still operates on filter table (the only table that exists). Signed-off-by: Florian Westphal --- iptables/xtables-arp.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/iptables/xtables-arp.c

[PATCH xtables 11/13] arptables: make uni/multicast mac masks static

2018-11-12 Thread Florian Westphal
Signed-off-by: Florian Westphal --- iptables/xtables-arp.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index bde35e5dcb9c..6a095bfd1629 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -233,12

[PATCH xtables 10/13] arptables: add test cases

2018-11-12 Thread Florian Westphal
Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like broken output, however, arptables classic did not pretty-print either. Also add test cases for all targets supported by the original arptables tool: -j CLASSIFY -j MARK -j mangle [ yes, mangle target is lower-case 8-( ]

[PATCH xtables 08/13] arptables: fix src/dst mac handling

2018-11-12 Thread Florian Westphal
1. check both address and mask, not just first byte of mac 2. use add_addr() for this so mask is also handled via bitwise expr. 3. use the correct offsets. 4. add dissector so we can reverse translate the payload expressions generated for this. Signed-off-by: Florian Westphal ---

[PATCH xtables 05/13] arptables: add basic test infra for arptables-nft

2018-11-12 Thread Florian Westphal
Signed-off-by: Florian Westphal --- iptables-test.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/iptables-test.py b/iptables-test.py index 34a040422ce7..532dee7c9000 100755 --- a/iptables-test.py +++ b/iptables-test.py @@ -17,10 +17,12 @@ import argparse

[PATCH xtables 09/13] arptables: pre-init hlen and ethertype

2018-11-12 Thread Florian Westphal
to check -s 1.2.3.4, we need to add the size of the hardware address to the arp header to obtain the offset where the ipv4 address begins: base_arphdr HW_ADDR IP_ADDR (src) IP_ADDR (target) In arptables-classic, the kernel will add dev->addr_len to the arp header base address to obtain the

[PATCH xtables 04/13] arptables: fix rule deletion/compare

2018-11-12 Thread Florian Westphal
arptables -D fails most of the time, as we compared source mask with target mask. Signed-off-by: Florian Westphal --- iptables/nft-arp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index f9352297d83b..675f0eb9daa6 100644 ---

[PATCH xtables 07/13] arptables: fix target ip offset

2018-11-12 Thread Florian Westphal
--dst-ip checks the first four octets of the target mac. Format of ipv4 arp is: arphdr (htype, ptype...) src mac src ip target mac target ip So we need to add hlen (6 bytes) a second time (arphdr + 6 + 4 + 6) to get correct offset. Signed-off-by: Florian Westphal --- iptables/nft-arp.c | 5
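The offset arithmetic from this patch and from "arptables: pre-init hlen and ethertype" above, worked through as an added example (it is not code from the arptables patches; the names are this example's own). arptables-classic lets the kernel add dev->addr_len to the header base; an nft payload expression has to encode the offset up front, so the code below derives every field offset from the header's ar_hln/ar_pln bytes and contrasts the pre-fix --dst-ip offset (arphdr + hlen + plen, which lands on the target MAC) with the correct one (arphdr + 2*hlen + plen).

```c
/* Added example, not the arptables-nft code: compute ARP payload offsets from
 * the header's hlen/plen and show what the pre-fix --dst-ip offset reads. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARPHDR_LEN 8   /* ar_hrd(2) ar_pro(2) ar_hln(1) ar_pln(1) ar_op(2) */

struct arp_offsets {
    size_t src_mac, src_ip, dst_mac, dst_ip, total;
};

/* Derive field offsets from the header. Returns -1 if the buffer is shorter
 * than the fixed header or than the payload the header advertises. */
int arp_field_offsets(const uint8_t *pkt, size_t len, struct arp_offsets *o)
{
    if (len < ARPHDR_LEN)
        return -1;
    uint8_t hlen = pkt[4], plen = pkt[5];

    o->src_mac = ARPHDR_LEN;             /* sender hardware address */
    o->src_ip  = o->src_mac + hlen;      /* sender protocol address */
    o->dst_mac = o->src_ip + plen;       /* target hardware address */
    o->dst_ip  = o->dst_mac + hlen;      /* target protocol address */
    o->total   = o->dst_ip + plen;
    return len < o->total ? -1 : 0;
}

/* The offset arptables-nft used for --dst-ip before the fix: hlen is added
 * only once, so it points at the target MAC instead of the target IP. */
size_t buggy_dst_ip_offset(uint8_t hlen, uint8_t plen)
{
    return ARPHDR_LEN + hlen + plen;
}

/* Constructed sample (not a capture): Ethernet/IPv4 ARP request from
 * 192.168.1.10 asking for 192.168.1.1. */
const uint8_t sample_arp[] = {
    0x00, 0x01,  0x08, 0x00,  0x06,  0x04,  0x00, 0x01,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,     /* sender MAC */
    192, 168, 1, 10,                        /* sender IP */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,     /* target MAC (unknown) */
    192, 168, 1, 1,                         /* target IP */
};

static uint32_t read_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Target IP read at the header-derived offset (host byte order). */
uint32_t sample_target_ip(void)
{
    struct arp_offsets o;
    if (arp_field_offsets(sample_arp, sizeof sample_arp, &o) < 0)
        return 0;
    return read_be32(sample_arp + o.dst_ip);
}

/* The same read at the pre-fix offset: yields the first four target-MAC bytes. */
uint32_t sample_target_ip_buggy(void)
{
    return read_be32(sample_arp + buggy_dst_ip_offset(6, 4));
}

int main(void)
{
    struct arp_offsets o;
    if (arp_field_offsets(sample_arp, sizeof sample_arp, &o) < 0)
        return 1;
    printf("src_mac@%zu src_ip@%zu dst_mac@%zu dst_ip@%zu\n",
           o.src_mac, o.src_ip, o.dst_mac, o.dst_ip);
    printf("target ip: fixed 0x%08x, pre-fix 0x%08x\n",
           sample_target_ip(), sample_target_ip_buggy());
    return 0;
}
```

For Ethernet/IPv4 the offsets come out as 8, 14, 18 and 24; the pre-fix value 18 is exactly the target-MAC offset, which is why a --dst-ip match compared against the first four octets of the target hardware address.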

[PATCH xtables 06/13] arptables: fix -s/-d handling for negation and mask

2018-11-12 Thread Florian Westphal
Also handle negations in other cases. Still to be resolved: mask handling for other options such as hlen. Signed-off-by: Florian Westphal --- iptables/nft-arp.c | 20 ++-- 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c

[PATCH xtables 03/13] arptables: remove code that is also commented-out in original arptables

2018-11-12 Thread Florian Westphal
This isn't a missing feature in the -nft version, neither plen nor -m was ever implemented in arptables-legacy. Signed-off-by: Florian Westphal --- iptables/xtables-arp.c | 34 +++--- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git

[PATCH xtables 02/13] arptables-save: add -c option, like xtables-save

2018-11-12 Thread Florian Westphal
arptables classic doesn't have arptables-save, it only has a perl script that attempts to emulate iptables-save. It supports no options, and thus has no way to dump counters. Add -c option, like iptables to enable this. Signed-off-by: Florian Westphal --- iptables/nft-arp.c | 17

[PATCH xtables 01/13] arptables: use ->save for arptables-save, like xtables

2018-11-12 Thread Florian Westphal
arptables-save will show -A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0x as --h-length 6 --h-type Ethernet -j MARK MARK set 0x1 Because it uses ->print() instead of ->save(). Switch it to use ->save, we can then also drop special handling of CLASSIFY target. Signed-off-by:

[PATCH xtables 00/13] arptables: make it work

2018-11-12 Thread Florian Westphal
This series adds test cases for arptables-nft and fixes various bugs that got uncovered here. extensions/libarpt_CLASSIFY.t |4 + extensions/libarpt_MARK.t |4 + extensions/libarpt_mangle.c |6 + extensions/libarpt_mangle.t |5 + extensions/libarpt_standard.t | 14

[nft PATCH] nft.8: Clarify 'index' option of add rule command

2018-11-12 Thread Phil Sutter
Documentation for add rule command might trick readers into believing the optional 'index' argument does not need to be that of an existing rule. This false assumption is fueled by the fact that iptables allows inserting with last rule number + 1 to actually append to a chain. Change the relevant

[PATCH xtables] xtables: add 'printf' attribute to xlate_add

2018-11-12 Thread Florian Westphal
This allows gcc to check format string vs. passed arguments. Fix the fallout from this as well, typical warning produced is: libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'long unsigned int' [-Wformat=] xt_xlate_add(xl, "and 0x%x
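What the attribute buys you, as an added example that is not libxtables code: a variadic append function declared with `__attribute__((format(printf, 2, 3)))` so that gcc's `-Wformat` checks every call site's format string against its arguments. The `xlate_buf` struct, `xlate_add()` and `translate_mark()` below are hypothetical stand-ins for the xtables translation API, and the mark/mask translation is only illustrative; the point is the declaration form and the cast (or `%lx`) that silences the `unsigned long` vs `%x` warning the patch mentions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libxtables' translation buffer. */
struct xlate_buf {
    char data[256];
    size_t len;
};

/* format(printf, 2, 3): argument 2 is the format string, variadic
 * arguments start at 3. gcc now checks every caller under -Wformat. */
void xlate_add(struct xlate_buf *xl, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

void xlate_add(struct xlate_buf *xl, const char *fmt, ...)
{
    va_list ap;
    size_t room = sizeof(xl->data) - xl->len;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(xl->data + xl->len, room, fmt, ap);
    va_end(ap);
    if (n > 0)
        xl->len += (size_t)n < room ? (size_t)n : room - 1;
}

static struct xlate_buf xl_static;

/* Illustrative mark-match translation. The mask is an unsigned long in the
 * match data, so it is cast to unsigned int for %x; passing it uncast is
 * what triggers "format '%x' expects argument of type 'unsigned int'".
 * Using %lx instead of the cast is the other valid fix. */
const char *translate_mark(unsigned long mark, unsigned long mask)
{
    struct xlate_buf *xl = &xl_static;

    xl->len = 0;
    xl->data[0] = '\0';
    xlate_add(xl, "meta mark ");
    if (mask != ~0UL)
        xlate_add(xl, "and 0x%x ", (unsigned int)mask);
    xlate_add(xl, "== 0x%lx", mark);
    return xl->data;
}

int main(void)
{
    puts(translate_mark(0x1, 0xff));
    puts(translate_mark(0x1, ~0UL));
    return 0;
}
```

Compile with `-Wformat` (part of `-Wall`) and remove the `(unsigned int)` cast to reproduce the warning; without the attribute on `xlate_add()` the same mistake compiles silently and prints garbage on platforms where `unsigned long` is wider than `unsigned int`.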

Re: [iptables PATCH 0/3] A few minor fixes

2018-11-12 Thread Florian Westphal
Phil Sutter wrote: > The first two deal with incorrect/unexpected error messages, only the > last one fixes a "real" issue. > > Phil Sutter (3): > xtables: Fix typo in do_command() error message > xtables: Clarify error message when deleting by index > xtables: Fix error return code in

[iptables PATCH 2/3] xtables: Clarify error message when deleting by index

2018-11-12 Thread Phil Sutter
Trying to delete a rule by index from a non-existent chain leads to a somewhat confusing error message: | # iptables-nft -D foobar 1 | iptables: Index of deletion too big. Fix this by performing chain existence checks for CMD_DELETE_NUM, too. Signed-off-by: Phil Sutter --- iptables/xtables.c

[iptables PATCH 0/3] A few minor fixes

2018-11-12 Thread Phil Sutter
The first two deal with incorrect/unexpected error messages, only the last one fixes a "real" issue. Phil Sutter (3): xtables: Fix typo in do_command() error message xtables: Clarify error message when deleting by index xtables: Fix error return code in nft_chain_user_rename()

[iptables PATCH 3/3] xtables: Fix error return code in nft_chain_user_rename()

2018-11-12 Thread Phil Sutter
If the chain to rename wasn't found, the function would return -1 which got interpreted as success. Signed-off-by: Phil Sutter --- iptables/nft.c | 4 ++-- iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 4 2 files changed, 6

[iptables PATCH 1/3] xtables: Fix typo in do_command() error message

2018-11-12 Thread Phil Sutter
This checks p->chain for existence, not cs->jumpto. Fixes this bogus error message: | # iptables-nft -t nat -A FORWARD -j ACCEPT | iptables v1.8.1 (nf_tables): Chain 'ACCEPT' does not exist Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables") Signed-off-by: Phil Sutter ---

Inquiry 12/11/2018

2018-11-12 Thread Daniel Murray
Hi,friend, This is Daniel Murray and i am from Sinara Group Co.Ltd Group Co.,LTD in Russia. We are glad to know about your company from the web and we are interested in your products. Could you kindly send us your Latest catalog and price list for our trial order. Best Regards, Daniel

[PATCH iptables] nft: add NFT_TABLE_* enumeration

2018-11-12 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 26 +- iptables/nft.h | 20 +++- 2 files changed, 24 insertions(+), 22 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index d098068e01ca..dab7fbe235d2 100644 --- a/iptables/nft.c +++

[PATCH xtables 2/2] ebtables: use extrapositioned negation consistently

2018-11-12 Thread Florian Westphal
in the iptables universe, we enforce extrapositioned negation: ! -i foo "-i ! foo" is not even supported anymore. At least make sure that ebtables prints the former syntax everywhere as well so we don't have a mix of both ways. Parsing of --option ! 42 will still work for backwards compat
